Malvertising and Exploit Kits Still a Significant Threat: FireEye

Malicious online ads and the exploit kits (EK) used to infect computers with various types of malware continue to pose a significant threat, FireEye warns.

Used in “drive-by” attacks, malvertising can infect computers without users even being aware that malicious code on the web page they are visiting is covertly installing malware. Bad actors use HTTP redirect protocols or iframe redirects or code injected in legitimate web pages to exploit unmitigated vulnerabilities and infect users. In some cases, domain shadowing is used to hide rogue ad servers as legitimate advertisers.

As FireEYe explains, popular ad servers sometimes redirect to affiliate networks, and these organizations might forward traffic to servers supporting other malicious domains, referred to as “Cushion Servers” or “Shadow Servers.”

Over the past four months, FireEye observed malvertising campaigns associated with a group of first layer compromise pages that used the same injected script to redirect to Magnitude EK. Popular mainly in the APAC region, the EK was observed affecting web servers with a specific header information, with the injected script appearing only when the site was being loaded through the advertisement and not when the URLs were accessed directly.

Some of the domains associated with the EK were hosted on Webzilla B.V and appear to be from the same actor, while others were Flash game websites registered with ‘Alpnames Limited’ registrar and hosted using a PlusServer AG server ISP in Germany. On rare occasions, advertiser poptm[.]com hosted on CloudFlare was used.

The researchers also observed campaigns abusing domains registered under [.]organisation: TTA ADULTS LIMITED and using advertisers belonging to Adcash group, along with other campaigns abusing domains registered under [.]organisation: China Coast and using ads.adamoads[.]com, and other ad sites for redirection.

RIG EK, currently the leading toolkit out there, has been associated with well-known campaigns such as EITest Gate, Pseudo-Darkleech, and Afraid Gate, but also with other malvertising campaigns that use redirection.

In late 2016 and early 2017, FireEye observed [.]info and [.]pw TLD domains that acted as intermediate redirect domains invoked via legitimate advertisers, but which lead to RIG EK domains instead. These were ad service-loaded casino-themed domains featuring injected malicious iframes for redirection, acting as shadow servers for the EK.

The ad service was provided by AdCash ad group, which stopped supporting these domains in February 2017. The campaign then switched to new domains and started leveraging the popular ad service popcash[.]net, which has been notified on the matter.

Sundown, the second most active EK at the moment according to Symantec, is leveraging redirection in a series of malvertising campaigns as well, including one that leverages domains hosted on two neighboring addresses: 217.23.13.111 and 217.23.13.110. Multiple legitimate advertisers are currently redirecting to one of the domains hosted on these IPs, which then redirect to a Sundown EK landing page.

The security researchers also discovered a group of redirect domains that has been leveraging advertiser popcash[.]net to lead users to Sundown EK landing pages via a chain of two domains. Another campaign was observed using shadow servers loaded via legitimate ad sites hosted on Webzilla B.V.

Another active toolkit is Terror EK, which FireEye says is similar to Sundown EK. The threat has been consistently leveraging advertiser serve.popads[.]net to redirect traffic to domains it controls, with some instances observed using this technique as early as December last year. Terror EK was observed downloading ccminer payloads.

“Malvertising and exploit kits continue to be a significant threat to regular users. While we strongly recommend using ad blockers for all web browsers, we understand that it’s not always possible. For that reason, the best approach is to always keep your web browsers and applications fully updated. Also, regularly check your browser to see what plugins are being used and disable them if they are not necessary,” FireEye notes.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.